Samsung Electronics has launched a new initiative that will reward researchers who would report security and privacy flaws found within its apps and software. The manufacturer states that the rewards program was instituted to show appreciation to individuals and experts who track down and report software flaws. According to the South Korean tech firm's representatives, the Samsung Mobile Security Rewards Program will compensate people who discover vulnerabilities found in the firm's handsets and tablets ranging from the flagship devices of the Galaxy S and Galaxy Note lineups to low-end models. In addition, the program also covers vulnerabilities found in applications developed by the company, as well as the third-party apps specific to the manufacturer's handsets. Those who find software flaws may submit a report detailing the vulnerability along with a valid Proof-of-Concept via Samsung's Security Reporting Page.
After the manufacturer receives the report, its security team will categorize the threat into one of four levels – Critical, High, Moderate, and Low. Threats deemed critical include vulnerabilities that could bypass the smartphone's Secure Boot and those that could execute arbitrary code in the software's Trusted Execution Environment, which may consequently compromise users of Samsung Pay. Individuals who report critical security flaws are entitled to a prize of up to $200,000, but if their submission lacks the necessary Proof-of-Concept, the monetary reward may be significantly reduced, with the minimum amount that users may get for reporting vulnerabilities being $200. The tech firm notes that it may take up to two months before the rewards are given to qualified individuals and the process may take even longer if the required documents are not submitted on time.
Samsung noted that any vulnerability that requires both a physical connection to the device and a developer debugging tool, whether ADB or similar solutions, is not eligible for the prize, presumably because only a small percentage of users actually tinker with their devices in such a manner. Also ineligible for the bounty are vulnerabilities already covered by bounty programs spearheaded by Google and Qualcomm. Once the reports are submitted to the company, researchers may not discuss the loophole in public, unless the company provides them with the necessary permission to do so.